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Abstract 

Studies of the United States Space Transpor- 
tation System show that In the m1d-to-1ate 1990s 
expanded capabilities for Orbital Transfer Vehicles 
(OTV) will be needed to meet Increased payload 
requirements for transporting materials and men to 
geosynchronous orbit. The requirement to provide 
manratlng offers challenges and opportunities to 
the propulsion system designers. To provide a 
perspective on manrating, this paper reviews the 
propulsion approaches utilized In previous manned 
space vehicles of the United States. The princi- 
pals of reliability analysis are applied to the 
Orbit Transfer Vehicle. Propulsion system options 
are characterized In terms of the test requirements 
to demonstrate reliability goals and are compared 
to earlier vehicle approaches. 

Introduction 

From the earliest days of the United States 
Space Program, the Issues concerning man In space 
have challenged the vehicle designers. This paper 
presents discussions, observations, and analysis 
of propulsion Sisteui characteristics for manrating 
an advanced Orbit Transfer Vehicle. 

For the 1990s and beyond It Is envisioned that 
an Integrated Space Transportation System consist- 
ing of the Space Shuttle, a Space Station, an Orbit 
Maneuvering Vehicle, and an Orbit Transfer Vehicle 
will exist to deploy, service, and retrieve pay- 
loads In high or geosynchronous orbit (GEO). The 
system would operate as shown In Fig. 1. In this 
scenario, the Space Shuttle would deliver and 
return payloads to the station located in low earth 
orbit. Potential payloads would Include spacecraft 
to be placed In higher orbits, Orbit Transfer 
Vehicles, and propellants to transport them, as 
well as supplies for the space station and free 
flying platforms for low earth orbit. It Is 
envisioned that in addition to its scientific and 
Industrial roles, the space station will become the 
operations and service center for Orbit Transfer 
Vehicles. Payloads from the Shuttle would be mated 
to the OTV, propellants loaded and prelaunch 
checkouts conducted. Upon return the OTV would 
rendezvous with the Space Station, payloads would 
be retrieved, and maintenance performed to ready 
the OTV for the next mission. The Orbit Maneuver- 
ing Vehicle would serve as the utility spacecraft 
for low earth orbit. It transfers payloads and 
supplies between the Shuttle and Space Station as 
well as places, retrieves, and services free-flying 
satellites In low earth orbits. The Orbit Transfer 
Vehicle would operate primarily between low earth 
orbit and geosynchronous orbit as a reusable 
spacecraft and as an expendable vehicle for 
planetary missions. 

It is envisioned that the advanced OTV will 
be a reusable vehicle, based and maintained pri- 
marily at the space station. The majority of Its 
missions will be to deliver satellites to geosyn- 
chronous orbit. The vehicle will also be manrated 


for servicing missions at geosynchronous orbit. 
Furthermore, it will be a versatile vehicle which 
can be used for planetary transfers and delivery 
of large, acceleration limited space structures to 
geosynchronous orbit. The vehicle will Incorporate 
some fr-m of aeroassist on return to the low earth 
orbit as shown In Fig. 2. This maneuver uses the 
drag Induced by the earth's atmosphere to reduce 
the OTV velocity and thereby reduces the propel- 
lants required for the retroburn. 

The characteristics of the advanced OTV are 
the subject of ongoing NASA studios,, “ as well 
as earlier Space Station studies. The role 
of the Orbit Transfer Vehicle In placing, retriev- 
ing, and servicing payloads In high earth orbits 
represents a significant departure from current 
design and operational philosophy for upper stages 
and Is driven by the need to achieve significant 
reductions In payload placement costs and provide 
manned operations beyond low earth orbit. The 
requirement to provide manrating of the OTV offers 
a number of opportunities and challenges to the 
propulsion system designers. 

United States Space Program Manratlng 
Experience 

Each new spacecraft and vehicle system In the 
space program has brought with it a unique set of 
conditions In terms of the fiscal, political, 
legal, regulatory, military, and technical envi- 
ronments. As such, what manrating Is, and how and 
when It is achieved have differed considerably. 
Manrating, in the most general sense, can only be 
specified within a given environment. It is only 
the perception that all practical effort has been 
expended to eliminate life-threatening events and 
provide for safe return to earth of the space 
traveler. Many of the techniques utilized by 
designers to eliminate risk and increase system 
confidence have been built upon the foundations of 
previous manned space projects. Although each was 
unique in Its environment, a reliance on redun- 
dancy, comprehensive quality assurance, and testing 
have been the cornerstones. 

Project Mercury 

Project Mercury began with a series of sub- 
orbital flights launched by the Redstone ballistic 
missile. These were followed by orbital flights 
lofted by the Atlas ballistic missile. Because of 
the urgency of the program, no major modifications 
were possible prior to committing to manned flight. 
However, an Intensive Inspection effort was insti- 
tuted to select each missile component to ensure 
that each was as close to the nominal design point 
as possible. As an ar^U’d precaution, a simple 
solid propellant escapj rocket was added to the 
capsule. Monopropellant hydrogen peroxide was used 
for attitude control and solid propellant motors 
for deorbit. Both systems Incorporated redundant 
units. 
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Project Gemini 

Project Gemini, wtilch followed Mercury, relied 
upon the Titan II ballistic missile as the booster. 
Early In tht project, It was felt that the Titan II 
could be used without substantial change. However, 
during flight tests a serious problem was encoun- 
tereo. The rocket could develop large oscillating 
acceleration loads (POGO) which would endanger the 
astronauts life. Significant modifications to the 
Titan II were required to eliminate this hazardous 
situation. The escape rocket of the Mercury 
Project was replaced by ejection seats. Simple 
pressure fed hypergollc propellants were used for 
the attitude control and maneuver thrusters. 
Redundancy was once again used In the attitude 
control and maneuver thrusters, as well as the 
solid propellant deorbit rockets. In addition, the 
maneuver thrusters acted to "backup" the deorbit 
rockets. They were capable of placing the capsule 
Into a fall safe orbit which would reenter the 
atmosphere even If the deorbit rockets failed to 
function. 

Project Apollo 

Project Apollo ushered In a new err In manned 
space flight. For the first time, the ta1 
vehicle system was designed with manned missions 
as the focus. No longer did adaptations of bal- 
listic missiles suffice, As expressed In "What 
Made Apollo a Success, "The primary consider- 
ation governing the design of the Apollo system was 
that, If It could be made so, no single failure 
should cause loss of any crew member, prevent the 
successful continuation of the mission, or, In the 
event of a second failure In the same, prevent a 
successful abort of the mission." In applying this 
philosophy to the propulsion system elements, each 
mission phase was analyzed so that, when feasible, 
a credible backup means of safe return was avail- 
able. Backup propulsion was available up through 
the lunar landing. At this point, an extremely 
simple engine was utilized for the ascent stage, 
it was pressure fed with hypergollc propellants to 
ensure Ignition. Quad redundant valves were 
incorporated since they represented the most prob- 
able failure point. The thrust chamber was abla- 
tlvely cooled. It was designed as though It were 
a structural element and had significant safety 
margins. 

This type of engine was also used on the ser- 
vice module since it had no backup for the lunar 
escape burn. Prior to this, the lunar descent 
engine acted as the backup. 

It was during the Apollo Program that the 
concept of "limit testing" was Invoked to provide 
the means to control test costs while meeting the 
requirements for manned flight. Hardware was sub- 
jected to testing significantly in excess of the 
mission requirements - pushing to the limit. The 
mission requirements of the third stage of the 
Saturn V called for an engine burn application of 
51)0 sec, but each engine possessed a minimum usable 
life of 3750 sec. Limit testing provided the means 
to demonstrate reliability and confidence without a 
prohibitively large test sample hardware cost. 

This combination of component redundancy, 
backup redundancy, limit testing, and a comprehen- 
sive quality assurance program provided the Apollo 
manrating. 


Shuttle 

The Shuttle Prograir brought further change and 
refinement to the manne>' space program. The con- 
cept of a reusable spacecraft was introduced. This 
meant much longer operating times, more cycles, 
refurbishment/scrvicing - new challcngei to a space 
program which had been built on expendable hard- 
ware. The Shuttle was also distinctive In that the 
first flight carried men. Earlier programs had 
flown several test flights prior to "manrating."* 
The techniques developed In these earlier programs 
provided the needed confidence for the Shuttle, 

Component and backup system redundancy Is used 
extensively within the Shuttle. For example, there 
are five main computers configured Into redundant 
sets and three Auxiliary Power Units. The two 
solid rocket motors and three Shuttle main engines 
provide capability for safe return to Earth in the 
event of failures. The deorblt capability Is 
derived from the dual engines of the Orbit Maneuver 
System. These pressure fed engines are fueled by 
hypergollc propellants from redundant tank sets. 

The feed lines are crossl Inked so that sufficient 
propellants are available to either engine to 
deorblt in the event of a failure. In addition, 
these redundant engines are "backed up" by auxil- 
iary propulsion thrusters which are certified for 
extended duration burns. They are crosslinked to 
the main propellant supplies in addition to the 
auxiliary propulsion supply. 

OTV Manrating 

As we advance Into the 1990s, the environment 
within which we define "nianrating" Is continuing 
to change. Having demonstrated the technical 
feasibility of space exploration we now seek to 
exploit the benefits of space. In this environment 
cost effectiveness has become a predominant con- 
cern. This requires incorporation of new technol- 
ogies and reduced margins to Improve performance 
and life. The design challenge Is to maintain 
safety for the manned missions while delivering 
cost effectiveness. 

The historical data base suggests that at 
least two main engines will be needed for a manned 
Orbit Transfer Vehicle. However, this heuristic 
approach of specifying redundancy doesn't resolve 
the questions of acceptable risk and best use of 
resources to minimize risk. For this, reliability 
analysis of the vehicle and propulsion approaches 
is needed. 

Reliability Analysis 

The optimum use of resources dictates that 
maximum system reliability be provided for minimum 
development and life cycle costs. However, the 
designer can only speculate as to what will be the 
system reliability goal ana then seek to provide 
the minimum cost approach. Factors Influencing the 
selection of the minimum cost approach include risk 
assessment, subsystem allocations, mission profile, 
tests costs, redundancy, and nonindependent failure 
probabilities. 

Risk Assessment 

Analysis of competitive OTV concepts requires 
that an overall system reliability goal be estab- 
lished which can then be passed down to compare 
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sutjs>'st£in options. While any goal could be Bstab? 
llslied for reliabilltv, a niore credible approach^ 
is to derive an overall system reliability based on 
comparative mortality risks. The objective is to 
provide a similar risk for the astronaut as 
encountered in other career fields. As shown in 
Fig, 3, an astronaut with a 10 mission career would 
need a OTV mission reliability of 0.999 be equiva- 
lent to an airline pilot risk over a 30-yr career. 

A deficiency in this method is that a comparable 
career must be chosen, as well as determining the 
mortality associated with that career. The data 
shown in Fig. 3 is for mortality data of 1969. 
Progress in safety and environmental health prp- 

f raiiis have reduced theve by nearly SO percent,^® 
f these trends continue, by the mid 1990s the OTV 
mission reliability will need to be -\/0.9995 to be 
comparable to mid 1990s commercial pilots. This 
compares to 0.999 for comparable mortality with 
1969 data. 

Subsystem A1 location 

After establishing OTV system reliability, 
allocation of acceptable levels of reliability to 
the subsystem is next. Several methods can be 
utilized. One approach would be to analyze each 
system and subsystem within the vehicle and opti- 
mize each reliability with respect to total devel- 
opment and life cycle cost. Those systems and 
subsystems which have low development and high life 
cycle costs would receive greater reliability 
requirements. Those with high development and low 
life cycle costs receiving lower reliability 
requirements. This would require more detailed 
description of the vehicle elements and has not 
been pursued for this paper. A simple approach 
based on historical data projections and analogy 
to existing systems has been utilized. In the 
case illustrated in Fig. 4 the main propulsion 
system contributes 25 percent of the total unreli- 
ability and must be 'vO.9999 to meet the selected 
manrating reliability point for the mid 1990s of 
0.9995. 

Mission Profile 

Having assigned the propulsion system a mis- 
sion reliability of 0,9999. it is necessary to 
analyze the OTV mission so that the single burn 
reliability can be determined, it is this relia- 
bility which is to be demonstrated by testing. 

Successful completion of a manned OTV mission 
to geosynchronous orbit will require at least four 
main propulsion burns - Geo transfer, Goo circu- 
larization, earth transfer, and Earth circulariza- 
tion. Multiple perigee burns may be used when 
additional payload capability is needed. Mid- 
course correction burns may also be needed. When 
these multiple burn scenarios are applied to the 
previously assigned propulsion reliability, Rp, 
the single burn reliability, Rcc, requirement^ 
must be increased with each adduional mission 
burn, N. 

Rsb = 1 - LIn - Rp] 

For a four burn mission, the single burn propulsion 
reliability would be 0,999975 and 0.9999875 for an 
eight burn mission. This becomes an important 
factor when the test costs to achieve high relia- 
bility are considered as shown in Fig, 5. Achiev- 
ing 0.999975 for a single engine would require 


^,27 000 tests and 0,999875 would require 55 000 
tests. With full up-engine test costs of up to 
10 000 dollars/tests, this would be one-half bil- 
lion dollars for reliability demonstration tests. 

It should be pointed out that testing for relia- 
bility is initiated only after a considerable 
oegree of system maturity has been obtained and 
further modifications are unlikely. 

Redundancy 

Clearly the test requirements for a single 
engine of 0,999975 or greater reliability are 
extreme. Redundancy can be utilized to signifi- 
cantly reduce the test requirements to achieve the 
oesired reliability. As illustrated in Table 1 for 
0.9999 propulsion reliability. Increasing the num- 
ber «of engines can reduce the test requirements 
significantly. This applies so long as the remain- 
ing engine(s) can successfully complete the 
mission. 

The redundancy approach can be extended beyond 
identical elements to Include different engine 
types or entire propulsion systems as long as the 
mission requirements can be met by the individual 
redundant elements. Thus, the reaction control 
propulsion was redundant to the deorbit propulsion 
in Project Gemini. 

8oth enabled the astronaut to deorbit. It 
should be noted that specifying redundancy 
requirements such as fail-operational or fail-safe 
are insufficient without a reliability requirement, 
Overall reliability, Rg, of redundant systems is 
high or low depending on the component reliability 
(Rc) and the number of redundant elements. 

RS = 1 - (1 - Rc)" 
honindependent Failures 

When redundant components are utilized in a 
system, the issue of nonindependent failures must 
be addressed. These are the failures which result 
in total loss of system ability to perform the 
required activities. For the OTV this would be 
loss of propulsion capability during the mission. 
These failures might be a result of a catastrophic 
explosive engine failure which terminates the 
function of adjacent engines. They could also be 
more subtle design, manufacturing, or maintenance 
flaws whicl) result in the loss of propulsion capa- 
bility from all engines or propulsion systems dur- 
ing the course of the mission. Examples of this 
type of failure include the failure of two .Shuttle 
Auxiliary Power Units on the STS 9 flight^' and 
the three engine failures on L-lOTl from faulty 
seal replacement. 

The nonindependent failure probabilillty, c, 
is incorporated into the calculation of propulsion 
system reliability, Rp, as^^ 

k 

j = 

where Re is the single engine, single burn reli- 
ability, C is the probability that an engine 
failure is not independent and will result in pro- 
pulsion system failures, and a cluster of n engines 
can operate with up to k engine failures, 
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As illustrated In iMn. 6, for a mission witii 
a total of eight main engine burns, the effect of 
nonindependent failures is to significantly 
increase the required single burn-single enidne 
reliability from that without nonindependent fail- 
ures. For exannle, to achieve the 0.9399 propul- 
sion mission reliability with two engines and 
3 percent nonindependent failures requires 0.999R 
single burn reliability, 0.99988 with 5 percent 
nonindependent failures but only 0.99 with nonin- 
uepenoent failures. As shown in Table 2 this can 
significantly increase the number of engine relia- 
bility tests. The sensitivity to nonindependent 
failures Increases as high mission propulsion 
reliability is sought. 

The absolute level of nonindependent failures 
is configuration specific and can be determined 
only through test and operation. Several rocket 
engines have had no operational failures and thus 
have had 0 percent nonindependent failures - thus 
far. Test stand results for engines of similar 
complexity to the envisioned OTv engines have 
yielded correlations of 5 to 7 percent. In view 
of this, assuming 5 percent nonindependent failures 
should result in a conservative design reliability. 
Every effort, of course, would be exerted to elim- 
inate all flaws and maintenance problems such that 
a 0 percent failure probability would be obtained. 

Manratinq Propulsion Approaches 

As previously discussed, redundancy is a pri- 
mary method of reducinu testing associated v;fth 
reliability certification. The design, fabrica- 
tion, inspection, quality control, and operational 
costs for the propulsion system are not likely to 
vary greatly over the range of reliability 
requirements. Thus, testing costs and schedule 
may be significant discriminators in defining the 
propulsion system. 

As seen in Figs. 7 and 8, the introduction of 
the nonindependent failure affects the benefits of 
aouing redundancy to the propulsion system. With 
0 percent nonindepenoent failures, increased 
redundancy reduces the number of tests required to 
achieve a reliability level, as shown earlier In 
Table 2. However, at higner levels of nonindepen- 
dent failure probability, the increased redundancy 
actually Increases the number of required tests, 

The crossover point for equal tests for additional 
engines is a function of overall reliability and 
number of mission burns and it decreases as these 
increase. An alternative to adding main engines 
is to provide a redundant b ickup propulsion capa- 
bility, APS. This system would be of an alterna- 
tive design to eliminate common design, 
manufacturing and maintenance defects. It would 
be located in a different area of the vehicle to 
reduce the probability of explosive nonindependent 
f ai lures. 

The use of a backup system Is introduced into 
the reliability analysis by first separating the 
propulsion system into the main and backup systems 
with their individual reliabilities. Then the main 
propulsion system is separated into single engine- 
single burn reliabilities for each engines. The 
nonindependent failure equation is used in both 
steps. The probability of nonindependent failures 
of the backup and main propulsion is used in the 
first step ana the probability of main engine 
nonindependent failure in the seconc step. 


As shown in Fig. 9, the introduction of a 
backup propuliilon system has the effect of desen- 
sitizing the Test requirements to main engine and 
backup propuTiion failures as compared to no backup 
propulsion. This reduces tlie number of tests. As 
shotvn in Fig. 10, a wide range of propulsion system 
reliability requirements can be accoiiunodated with 
very little change in number of tests. Also note 
in these figures that two engines without APS 
backup is mathematical ly equivalent to a single 
engine with APS backup. 

Based on these results, it woulo appear that 
a two main engine configuration is the appropriate 
choice for the anticipated nonindepenoent failure 
probabilities of '»5 percent. This remains valid 
down to 1 percent, where a three engine OTV would 
have lower test costs. Two engine vehicles also 
should have a life cycle cost advantage over 
greater engine numbers due to reduced system cost, 
maintenance and transportation charges. 

Utilization of a backup propulsion system 
would further reduce main engine tests and would 
parallel the deorbit capability In the Space Shut- 
tle. It provides the lowest test requirements down 
to >v0.1 percent nonindependent failures. Further- 
more, the Space Shuttle utilizes two engines backeo 
UD by auxiliary propulsion when returning from low 
earth orbit. This is analogous to the OTV return 
from geosynchronous orbit and selection of a simi- 
lar approach for OTV propulsion would be supported 
by historical precedent. 

Incorporation of backup prcpulsion, however, 
will likely depend on Its development and life 
cycle costs relative to performing additional main 
engine tests to demonstrate the required reliabil- 
ity. Costs for a suitable backup propulsion system 
are projected to be on the oraer of 50 million 
dollars. Additional main engine tests woulo cost 
no more than 50 percent of this amount. Offsetting 
this development cost penalty is the possibility 
that a true backup propulsion capability could 
reduce Insurance rates for the missions. Current 
rates are up to 20 percent of the payload value. 
Sources within the inuurance industry speculate 
that rates could be reduced by up to one-half for 
an OTV with the additional redundancy of auxiliary 
propulsion backup to the main engines. This would 
result in savings of upwards of 20 million dollars 
per flight for a 100 million dollar payload and 
100 million dollar OTV and propellant cost. These 
savings could be applieo toward development costs 
and the cost of carrying extra propellants tp off- 
set the lower performance of the backup propulsion. 

Concluding Remarks 

In the course of this paper we have reviewed 
that propulsion system approaches utilized for 
previous United States manrated vehicles. The 
systems have been very successful, inasmuch as 
there have been no fatalities or serious Injuries 
resulting from flight failures. Careful design, 
quality control, extensive testing and utilizing 
redundancy, and backup systems have been integral 
parts in the success record. 

The Orbital Transfer Vehicle designers will 
build upon this foundation, Reliability analysis 
will be one of their principal tools to resolve 
what manrating is when exploitation of space bene- 
fits rather than exploration is the objective. 
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Factors such as risk assessment, subsystem relia- 
bility, mission profile, redundancy and, nonlnde- 
pendent failure probabilities will be resolved. 

In this paper, Issues associated with these 
factors have been e>iplored. It appears that, In 
order to provide ar astronaut with a career mor- 
tality roughly equivalent to a commercial pilot, 
at least a two main engine configuration will be 
required, Nonindependent failures of redundant 
engines may represent a serious problem requiring 
many additional tests to assure that the reliabil- 
ity goal has been met, however, backup propulsion 
capability provided by an Independent auxiliary 
propulsion system reduces the number of tests and 
desensitizes the test requirements to changes In 
reliability goals and nonindependent failure prob- 
ability. Reductions In Insurance rates for an 
Orbital Transfer Vehicle with the additional 
redundancy of backup auxiliary propulsion could 
easily offset the Increased development and opera- 
tional costs. Furthermore, selection of a two-main 
engine system with backup auxiliary propulsion 
would be supported by historical precedent, The 
Space Shuttle utilizes two engines backed up by 
auxiliary propulsion to return from low earth orbit 
which Is analagous to the OTV returning from geo- 
synchronous orbit. 
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TABLE 1 . - EFFECT OF ENGINE REDUNDANCY ON 
RELIABILITY TEST REQUIREHENTS 


[0.9999 propulsion system reliability; 
50 percent confidence.] 


Number of 
engines 

Tests 

Testing 

cost, 

dollars 

Individual 

reliability 

1 

~7000 

70 000 000 

0.999 

2 

~70 

700 000 

.99 

3 

~7 

70 000 

.90 

4 

1 

10 000 

.684 


TABLE 2, - EFFECT OF FAILURE CORRE- 
LATION ON TEST REQUIREHENTS 


[Two engine configuration; four 
burn mission.] 


Correlation, 

percent 

Propulsion system 
reliability 

Tests 

0.997 

0.999 

0 

-150 

-270 

1 

-275 

-650 

5 

-1000 

-2700 

10 

-1900 

-6800 





MANEUVER 


Figure 2, - Aeroassisted vehicle maneuver. 
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Figure 3. - Manned OTV mission reliability requirenients for mortality risks of 
comparable professions, (ref 15). 
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Figure 4. -Manned OTV subsystem reliabilities Iref 15), 



NUMBER OF EVENTS WITHOUT FAILURE 

Figure 5.- Demonstrated reliability for tests 
performed. 




Figure 6, - Effect of correlation factor on propulsion 
system reliability for 8 burn misr ion . 



MAIN PROPULSION SYSTEM CORRELA- 
TION FACTOR, PERCENT 

Figure 7.- Engine tests for .9997 re- 
liability of 4 burn mission. 
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PROPULSION SYSTEM RELIABILITY GOAL (4) BURN MISSION) 

Figure 10. - Effect of backup propulsion APS on reliability test 
requirements, 



